How do I disable the DES and 3DES ciphers on the Oracle WebLogic Server Node Manager port (5556) on a Red Hat Linux server? I tried many solutions, but none worked as expected. Here is my SSLCipherSuite line in the ssl.conf file.
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,!aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES
Best Answer
Remove the ciphers SSL_RSA_WITH_3DES_EDE_CBC_SHA and SSL_RSA_WITH_DES_CBC_SHA from your cipher list. You should also remove SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_SHA from the list as they are both considered insecure. I don't believe you get any benefit from the !aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES specifications if you are listing individual ciphers.
If your server is internet accessible, consider running an SSLLabs Analysis on your server. If not, you could use nmap --script ssl-enum-ciphers to check your configuration.
You should be disabling the ciphers in your Java configuration. See: https://security.stackexchange.com/questions/120347/how-to-disable-weak-cipher-suits-in-java-application-server-for-ssl for details.
You may want to consider using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. However, Java has had a problem with these ciphers causing 1 in 256 connections with standards compliant hosts to fail. This should be fixed in the latest release.
You should be able to set a secure set of ciphers by adding the ciphers to your Java command line. (Use only the last cipher unless you are on the latest Java version.)
If you want to use 256 bit encryption, duplicate each cipher in order and change 128 to 256 in one of the duplicates. There doesn't seem to be a good reason to use 256 bits, and there are reports that using 256 bits may enable some timing attacks.
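As an added illustration of the answer's advice (this is not code from the question or the answer), the script below parses the asker's SSLCipherSuite value, drops every suite whose name reveals DES, 3DES, RC4, an MD5 MAC, NULL encryption or export-grade strength, flags the `!` exclusions as having no effect once only explicit suite names are listed, and reports whether the remaining suites offer forward secrecy (ECDHE/DHE key exchange). The cipher string is copied from the question; the weak-marker list and the function names are this example's own choices, not anything from WebLogic, Java or nmap.

```python
import re

# Cipher string copied from the question's ssl.conf (input for this example).
SSL_CIPHER_SUITE = (
    "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "!aNULL,!eNULL,!LOW,!MD5,!EXP,!PSK,!SRP,!DSS,!RC4,!3DES"
)

# Substrings of standard suite names that mark a suite as weak. This list is
# an assumption of the example; extend it to match your own policy.
WEAK_MARKERS = ("_DES_", "_3DES_", "_RC4_", "_MD5", "_NULL_", "_EXPORT", "_anon_")


def parse_cipher_string(spec):
    """Split a cipher string on ',' or ':' into (explicit suites, '!' exclusions)."""
    tokens = [t.strip() for t in re.split(r"[,:]", spec) if t.strip()]
    suites = [t for t in tokens if not t.startswith("!")]
    exclusions = [t[1:] for t in tokens if t.startswith("!")]
    return suites, exclusions


def is_weak(suite):
    """True when the suite name contains any weak-algorithm marker."""
    return any(marker in suite for marker in WEAK_MARKERS)


def has_forward_secrecy(suite):
    """True for ephemeral (EC)DHE key exchange; static RSA suites return False."""
    return "_ECDHE_" in suite or "_DHE_" in suite


def audit(spec):
    """Return what to keep, what to remove, and which '!' entries are redundant."""
    suites, exclusions = parse_cipher_string(spec)
    removed = [s for s in suites if is_weak(s)]
    kept = [s for s in suites if not is_weak(s)]
    return {
        "kept": kept,
        "removed": removed,
        # As the answer notes, '!' exclusions add nothing when every entry
        # is an explicit suite name: a suite not listed is already disabled.
        "redundant_exclusions": exclusions if suites else [],
        "forward_secrecy": any(has_forward_secrecy(s) for s in kept),
        "hardened": ",".join(kept),
    }


if __name__ == "__main__":
    result = audit(SSL_CIPHER_SUITE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it against the question's list leaves only the two AES static-RSA suites, which is why the answer's suggestion to add the TLS_ECDHE_RSA_* suites matters: without them `forward_secrecy` stays False. Whatever the script emits, the answer's point stands that the effective restriction must be applied in the Java configuration, and the result should be confirmed with an external scan such as the nmap ssl-enum-ciphers script.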